Overview

overview

10

Static

static

3

bd617bffc7...18.exe

windows7-x64

10

bd617bffc7...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    19-06-2024 16:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe

  • Size

    231KB

  • MD5

    bd617bffc723c51d89ce55bc7092b337

  • SHA1

    7fdd7819d9af1a9a8555b375f5cf791bd0591588

  • SHA256

    054b6a681af4c0b40553f9d90a62c50c836585faa773eb7142bc440c1f397748

  • SHA512

    3da25b201c3ed18f2239d157e5d45dab3f541b515aa16ebd87e36e1e41bf425b752242dc37758d86c7e73819afabaae60235105b8ea2767870d3b9b78e83387f

  • SSDEEP

    3072:2FKCy9coaUVdWa9tAFPWOC9lXXcwz53WPUjAGBa4SJ/RCLeWLOqkMq6+z:24FaUOa9tevC9FcAW5V4STC4RMq6+

Score
10/10
globeimposterdefense_evasionexecutionimpactpersistenceransomwarespywarestealer

Malware Config

Signatures

  • GlobeImposter

    GlobeImposter is a ransomware first seen in 2017.

    ransomwareglobeimposter
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Renames multiple (8672) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 38 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\tmp9B17.tmp.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2000
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe Delete Shadows /All /Quiet
        3⤵
        • Interacts with shadow copies
        PID:548
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
        3⤵
          PID:908
        • C:\Windows\SysWOW64\reg.exe
          reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
          3⤵
            PID:1676
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
            3⤵
              PID:676
            • C:\Windows\SysWOW64\attrib.exe
              attrib Default.rdp -s -h
              3⤵
              • Views/modifies file attributes
              PID:1064
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\bd617bffc723c51d89ce55bc7092b337_JaffaCakes118.exe > nul
            2⤵
            • Deletes itself
            PID:484
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1896

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-268080393-3149932598-1824759070-1000\desktop.ini
          Filesize

          1KB

          MD5

          ca2951ff78001b1d994e055605320e7b

          SHA1

          bd00b272731ffa0234e176a356ba8eefcdd97846

          SHA256

          3a2e85bc950fb2615c122d1d97b7e87a3e116e1d507662569c0a01da2c6527f5

          SHA512

          0ef1342aad738e80fbc84d5c6497467cc8efa20b648e04eb165733792c5a2c222166bbcf6e8c6ca296c792bc6072e06d3c8ef2bd3f5a909299934a8cfc7ab310

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp9B17.tmp.bat
          Filesize

          445B

          MD5

          32d8f7a3d0c796cee45f64b63c1cca38

          SHA1

          d58466430a2bba8641bd92c880557379e25b140c

          SHA256

          1a6f73b5c28d1c10f63f2056068c1de61487b8cf8f1dcf7516548df144b3e9ea

          SHA512

          288213b92a03ac750ea319bb23c52e7bdf47f5a47ecb70c905c7610a84c63a3ec0a30801b5880e6def8df2c9f577082072e342198d23a19f64e561923e1ef698

          Download Submit

        • C:\Users\Public\Videos\Read___ME.html
          Filesize

          4KB

          MD5

          b8c499c80ca6cddb4d32b9d9022a1fa1

          SHA1

          b8322e652a5f87805c16bcbb166b28b2deeb397d

          SHA256

          3b3540c92bebb8ffb1364148502a673b142fe9ed64fbea65ea4f87e537ac81e6

          SHA512

          88a776ab4cafcc8e79b8e9873915f5d0fbf417fbc3e19dc272bc9ee68a441522c2eeab4312125509316594588a6a9948552b54f0c52703cdda69bef53329cae2

          Download Submit

        • memory/2236-2-0x0000000000620000-0x0000000000720000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2236-3-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/2236-1657-0x0000000000400000-0x00000000004FB000-memory.dmp

          Filesize

          1004KB

          Download

        • memory/2236-3274-0x0000000000400000-0x000000000040F000-memory.dmp

          Filesize

          60KB

          Download

        • memory/2236-3273-0x0000000000620000-0x0000000000720000-memory.dmp

          Filesize

          1024KB

          Download